Schedule

Security updates are a reality, so we need a better way to push out updates to people who
desire them. With that in mind, the goal is to implement this system for Firefox 1.5.

The Plan

Revise the existing toolkit code which downloads XPI updates. Provide a silent mode that will be used for security updates. Do this only if the user has agreed (via some UI during installation perhaps) and only if the user has write permission to the installation directory. We don't want this update system to get in the way of RPM or MSI based solutions, etc.

Use a XPI-like package to deliver the update. The update itself will contain a manifest of files which need updating/removal. The update may happen once the download is complete, at app shutdown, or the next time Firefox is launched. That behavior is a policy decision to be decided upon by the user-facing update service.

The application must not be running while the update is being installed. Our systems, including the JAR cache, are not designed to deal with changes to their underlying files. In addition, the Windows filesystem does not allow files to be unlinked from their parent directory while they are in use. The Firefox executable will run a separate update binary (using execv or another method). This executable will process the update manifest and may leverage the binary patching technology of bsdiff (with modifications for reliability). Once the update executable completes, it will re-launch the Firefox executable. This will allow Firefox to perform any post-upgrade operations (e.g., modifying registry keys, etc.).

Users will have the option to view silent upgrade progress, and choose to cancel, suspend, or "complete it now." They will also be provided with simple controls to alter the upgrade policy (notifications, silent or not, etc.).

Downloading the Update

Firefox will periodically check the Mozilla.org update servers (AUS) for available updates. The update server will return a manifest file (which is a simple XML file) over HTTPS that will point Firefox at the right update package to download.

In silent download mode, Firefox will use byte-range requests (supported by the Mozilla.org mirror network) to download the update package in small pieces. Each time Firefox starts up it will check to see if it should resume downloading the update package. It will not try to download the update package while Firefox is not running. This simplifies the implementation of the downloading system because it enables us to make use of the Firefox networking stack. Firefox will try to minimally impact the user's network bandwidth in the process.

Once the update package has been completely downloaded, it's integrity will be verified by computing a hash (e.g., SHA-2) over the entire update package. This hash will be compared to a hash included in the XML file received from AUS. If the hash checks out, then assuming that Firefox has permission from the user, it will unpack the update package and signal Firefox to start the upgrade process.

Processing the Update

At startup, Firefox will look for an update manifest in a fixed location. If it finds the manifest, then assuming it has permission from the user it will launch the update executable to process that manifest.

Before making any changes to the existing Firefox installation, the update executable will scan all files to be modified and verify that they are the expected version. If it finds that any files are not in sync with what it expects to find, then it will not apply the update. Otherwise, it will proceed to either: add, remove, replace, or patch existing files.

Before the update executable exits, it will record status to a log file that will be read by Firefox on next launch to determine if the update was successfully applied. This will allow Firefox to present good UI to the user in the advent of an unexpected problem.